- Hackers relaunch ClickFix attacks on macOS
- New method abuses script editor via URL scheme
- Campaign offers Atomic Stealer to exfiltrate sensitive data
Hackers are adding new variations to the old ClickFix attack to bypass recently introduced macOS protections while continuing to deliver infostealer malware to users’ devices, experts have warned.
Security researchers at Jamf Threat Labs recently spotted such a campaign in the wild, noting that until now, ClickFix attacks on macOS attempted to trick the victim into copying and pasting a command into the terminal.
However, with macOS 26.4, this method no longer works, because the device analyzes all pasted commands before they are executed. So the miscreants got creative and found a new entry point: the script editor.
Removal of AMOS
Script Editor is a built-in macOS application that allows users to write, edit and run scripts to automate tasks and control applications. It supports AppleScript and JavaScript, allowing users to streamline certain actions without the need to create entire software packages.
To trick victims into running Script Editor, the attackers used a URL scheme.
“Script Editor has a well-documented history as a malware delivery mechanism, so its presence here is not surprising,” the researchers wrote. “What is remarkable is its role in this ClickFix campaign and the fact that it was invoked via a URL scheme.”
A URL scheme is a special type of link that uses a custom prefix to trigger specific actions.
During the campaign, the scammers created a website offering a way to “reclaim disk space” on a Mac. To do this, users needed to press the “Run” button displayed on the page, which invoked an applescript:// URL scheme. The system then prompted the user to open Script Editor which, if approved, would run with a pre-populated script.
“This approach reduces direct interaction with the user,” Jamf added. “The user is guided from a web page to a pre-populated script editor window rather than entering commands in the terminal.”
The script would ultimately deploy Atomic Stealer, a known macOS information stealer capable of exfiltrating passwords, cryptocurrency wallet information, data stored in browsers, and more.




